Phishing-resistant Multi-Factor AuthenticationWhat is Authentication? Authentication is the process by which the identity of a user or system is verified. It ensures that the entity attempting to access a resource is who… (MFAWhat is Multi-Factor Authentication? Multi-Factor Authentication (MFA) is a robust security method that enhances digital identity verification by requiring users to provide multiple authentication mechanisms before gaining access to a…) is an authentication method that prevents malicious activity typically brought about through phishingWhat is Phishing? Phishing is a type of cyberattack in which attackers send fraudulent communications, or direct people to counterfeit websites in order to trick those individuals into revealing sensitive… scams. It doesn’t use shared codes or secrets at any point in the authentication process. Phishing-resistant MFA relies on public key cryptography, eliminating more vulnerable mechanisms such as passwords, security questions, OTPs, SMS, links, or push notifications.
There are four critical components of phishing-resistant MFA:
There are two types of phishing-resistant MFA you should be aware of.
Major browsers, operating systems, and smartphones support the most widely available phishing-resistant MFA, FIDOWhat is FIDO? Fast Identity Online (FIDO) is an all-encompassing term typically used to refer to the FIDO Alliance or FIDO authentication standards. The FIDO Alliance is a non-profit organization that…, or WebAuthn authentication. Unlike traditional MFA, FIDO authentication does not use shared secrets, instead leveraging one of the following authenticators:
While less widely available than FIDO authentication, Public Key Infrastructure (PKI) MFA provides strong security, especially for large or complex organizations. A well-known example of PKI-based MFA is the smart cards US government staff use to access their computers.
Only organizations with highly mature identity management practices should use PKI-based authentication. Many standard services and infrastructures don’t support this method, especially when Single Sign-On (SSO) technology isn’t available. Most PKI-based authentication methods use a security chip, usually embedded in a Personal Identity Verification (PIV) or Certificate-Based Authentication (CBA) card, in conjunction with a password or pin.
Organizations looking to implement phishing-resistant MFA should ask themselves the following questions to ensure a smooth and logical migration:
While it is still a relatively new concept, phishing-resistant MFA is becoming increasingly common. Considering the Cybersecurity and Infrastructure Security Agency (CISA) “strongly urges all organizations implement phishing-resistant MFA to protect against phishing and other known cyber threats,” it’s exceedingly likely that most organizations will implement phishing-resistant MFA in coming years.
For more essential cybersecurity definitions, check out our other blogs below: